
Features

  • Credential/Identity Monitoring now includes various VPN, cryptocurrency wallet, and other applications.

  • In a chain of affected processes during an attack (a common pattern: the attacker moves from running program A to B to C, and D is then used for data theft), the “patient 0” program A is suspended, but patient D is reported as the process performing the theft behavior.

    • Memory state is preserved and reported throughout the process chains, for future forensic analysis.

  • In the event of an automated response in which a running process' memory was modified, that memory modification is configurably uploaded to Cyber Crucible for reverse engineering and further analysis.

  • In the event of a non-malicious memory modification bug in an application, behavioral exceptions (“whitelists”) now have the ability to flag certain memory corruption events as benign. This will not stop the program itself from crashing or losing data due to the bug, but Cyber Crucible will know to ignore the bug while searching for malicious injection of code into running processes (process injection/hollowing).

Fixes

  • Removed vulnerability where binaries could be deleted by a privileged process while CC binaries are updating.

  • Removed vulnerability where registry keys could be deleted or altered by a privileged process while CC binaries are updating.

  • Corrected memory state tracking when a process is patched in-memory during Cyber Crucible evaluation of the memory.

  • Corrected memory state tracking under certain conditions where memory is re-allocated between memory pages.

  • Minor CPU efficiency updates that are likely too small to register in Task Manager, since usage is normally <1%.

WHCP/WHQL Validation Status

Validated

MD5 Hashes

service.exe   = 90a6ca2f5b7a76b847052f3d420f0c9b
assistant.exe = b62ee623f74171f4a3f34ff129188174
CCRRSecMon.sys (Windows10)       = dfdce4016f6920e844615b3d506ec2e2
CCRRSecMon.sys (Windows8)        = 59bbd41c883ca0205fd3adbfdbb5dbb6
CCRRSecMon.sys (Windows7)        = 88e6f047f7fa26e717a24f5fd7b33dc5

4.4.1.3.1

Gained visibility into some system processes that initialize before the Cyber Crucible driver loads.

MD5 Hashes:

service.exe: a03b91df83f86ffe322f7b16960f503c
assistant.exe: e22641924d3a1811b86a0f4357f74720
win7/CCRRSecMon.sys: b64b63c04f00afd1020a7a43fc0bb67d
win8/CCRRSecMon.sys: c50aacb4aac6ac9f1e95e4ffa749cb2a
win10/CCRRSecMon.sys: 77dd029b8e4b2cf5a2354787402ecc17

4.4.1.3.2

Added additional telemetry for the now-visible system processes due to 4.4.1.3.1.

MD5 Hashes:

service.exe: 47f408d6102eb06a94f2244cf139a0a5
assistant.exe: 86733da51ee703f93dcda9346231cca6
win7/CCRRSecMon.sys: b01e8933fa9ac9f0a049527b20d9f679
win8/CCRRSecMon.sys: 4467124cf7e8b5ab5652169f9eb41663
win10/CCRRSecMon.sys: 8f06de95303eeac038002ec27c297811

4.4.1.3.3

Fixed some incident reports that included data for the wrong process when a process died mid-calculation.

MD5 Hashes:

service.exe: f2a341ca4856ab3f8a15b7cf725cd0cc
assistant.exe: 5d5d2213e276bc066f4d42ab751c7317
win7/CCRRSecMon.sys: 13da73b66751d12f5f3e65cde0602266
win8/CCRRSecMon.sys: 08fe8cb3391c9215bc37a997ec59b0a2
win10/CCRRSecMon.sys: 4c8a1707839f0d28c386f17ce2dbc8ed

4.4.1.3.4

Filler.

MD5 Hashes:

service.exe   = 4a5bd9822ea28c10f399afe437837a2a
assistant.exe = 7070e61862bc2ede3205c4bfdc6805d2
CCRRSecMon.sys (Windows10)       = 4e9b790522fe61e9206140e15e37b7fe
CCRRSecMon.sys (Windows8)        = 7b477503840f882028ff8bdbbfc72121
CCRRSecMon.sys (Windows7)        = 65e95b4dd58cb1c9a5dab398155e2113
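As an added example (not part of these release notes or of Cyber Crucible's own tooling), the PowerShell below checks the installed service, assistant, and driver binaries against the MD5 values published above for 4.4.1.3.4, selecting the driver hash for the running Windows version. The install directory and driver path are assumptions; adjust them to match the actual deployment.

```powershell
# Added example; not from the release notes or the product. Verifies on-disk
# binaries against the MD5 values published for build 4.4.1.3.4.
# ASSUMPTIONS (placeholders): install directory and driver location below.
$InstallDir = 'C:\Program Files\Cyber Crucible'                            # assumed
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\CCRRSecMon.sys'  # assumed

# Driver MD5 per Windows family, as listed in the 4.4.1.3.4 notes.
$ExpectedDriver = @{
    'Windows10' = '4e9b790522fe61e9206140e15e37b7fe'
    'Windows8'  = '7b477503840f882028ff8bdbbfc72121'
    'Windows7'  = '65e95b4dd58cb1c9a5dab398155e2113'
}

function Get-WindowsFamily {
    # Map the OS version to the family names used in the hash list.
    $v = [System.Environment]::OSVersion.Version
    if ($v.Major -ge 10) { return 'Windows10' }
    if ($v.Major -eq 6 -and $v.Minor -ge 2) { return 'Windows8' }  # 6.2 / 6.3 = Windows 8 / 8.1
    if ($v.Major -eq 6 -and $v.Minor -eq 1) { return 'Windows7' }
    throw "Unsupported Windows version $v"
}

# Expected MD5 per file path (service/assistant values from the 4.4.1.3.4 notes).
$Expected = @{
    (Join-Path $InstallDir 'service.exe')   = '4a5bd9822ea28c10f399afe437837a2a'
    (Join-Path $InstallDir 'assistant.exe') = '7070e61862bc2ede3205c4bfdc6805d2'
    $DriverPath                             = $ExpectedDriver[(Get-WindowsFamily)]
}

function Test-CCBinaryHashes {
    # Returns $true only if every listed file exists and matches its published MD5.
    param([hashtable]$Expected)
    $allOk = $true
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "MISSING  $path"
            $allOk = $false
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLowerInvariant()
        if ($actual -eq $Expected[$path]) {
            Write-Output "OK       $path"
        } else {
            Write-Warning "MISMATCH $path expected $($Expected[$path]) got $actual"
            $allOk = $false
        }
    }
    return $allOk
}

if (-not (Test-CCBinaryHashes -Expected $Expected)) { exit 1 }
```

MD5 is used here only because it is what the notes publish; it catches a corrupted or swapped file against the listed values but is not collision-resistant. Since the driver is WHQL validated, `Get-AuthenticodeSignature -FilePath $DriverPath` is a useful complementary check that the signature chain is still valid on the installed file.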
